Hi,
My switches are configured as follows:
vlan 10
name "DATA"
ip address 10.1.10.1 255.255.255.0
exit
vlan 11
name "VOICE"
tagged A1-A5
ip address 10.1.11.1 255.255.255.0
voice
exit
vlan 12
name "GUEST"
untagged A1-A5
ip address 10.1.12.1 255.255.255.0
exit
radius-server host 10.1.254.1
aaa authentication port-access eap-radius
aaa port-access authenticator A1-A5
aaa port-access authenticator A1-A5 client-limit 3
aaa port-access authenticator active
aaa port-access mac-based A1-A5
aaa port-access mac-based A1 unauth-vid 40
aaa port-access mac-based A2 unauth-vid 40
aaa port-access mac-based A3 unauth-vid 40
aaa port-access mac-based A4 unauth-vid 40
aaa port-access mac-based A5 unauth-vid 40
aaa port-access A1 mixed
aaa port-access A2 mixed
aaa port-access A3 mixed
aaa port-access A4 mixed
aaa port-access A5 mixed
My goals are as follows:
1) IP phones with pass-through ports to authenticate via MAC address and tag traffic on the voice VLAN 11
2) Trusted PCs to connect to the IP phones and authenticate using 802.1X EAP-TLS, connecting to the RADIUS-assigned VLAN 10
3) Untrusted devices to connect to the unauth VLAN
Everything works well apart from two frustrating things. The first is that when the IP phone is connected, it successfully authenticates and tags packets on VLAN 11; the IP phone is up and connects to our IP PBX. When a trusted client connects to the IP phone's pass-through port and passes EAP-TLS authentication, the IP phone unauthenticates and reauthenticates, which causes the phone to drop from the network. I can only assume that this happens when the untagged VLAN on the port changes from the guest VLAN 11 to the data VLAN 10. This does not happen when either the unauth-vid or the mixed command is removed.
The second is that after the trusted client disconnects from the pass-through port and is replaced with an untrusted client, the untrusted client cannot connect to the unauth VLAN; 'show port-access mac-based client' only displays the IP phone. The only workaround is then to disconnect and reconnect the IP phone from the switch, which allows both the IP phone and the untrusted client to connect.
Has anyone experienced these problems? I have tried various firmware versions on the switches but the behaviour is the same. I have also tried changing some of the timers and forcing periodic reauthentication, but nothing helps.
Tags: mac-based, unauth, VLAN, 802.1x, guest
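The following is an added example and not part of the original post: a small Python script that folds the flat ProCurve-style configuration quoted above into one record per port (untagged VLAN, tagged VLANs, 802.1X authenticator, MAC-based auth, mixed mode, unauth-vid, client limit), so the combination the poster ties to the symptoms (unauth-vid plus mixed on ports that also carry a tagged voice VLAN) can be listed directly instead of being pieced together from a dozen lines. It handles only the command syntax that appears in the post; the function names, the `PortState` record and the "combination" check are this example's own, and the embedded config is the poster's trimmed to the lines the parser reads.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Configuration from the post above, trimmed to the VLAN membership and port-access
# lines the parser reads (VLAN names, IP addresses and the stray quote are dropped).
POSTED_CONFIG = """\
vlan 10
exit
vlan 11
tagged A1-A5
exit
vlan 12
untagged A1-A5
exit
aaa authentication port-access eap-radius
aaa port-access authenticator A1-A5
aaa port-access authenticator A1-A5 client-limit 3
aaa port-access authenticator active
aaa port-access mac-based A1-A5
aaa port-access mac-based A1 unauth-vid 40
aaa port-access mac-based A2 unauth-vid 40
aaa port-access mac-based A3 unauth-vid 40
aaa port-access mac-based A4 unauth-vid 40
aaa port-access mac-based A5 unauth-vid 40
aaa port-access A1 mixed
aaa port-access A2 mixed
aaa port-access A3 mixed
aaa port-access A4 mixed
aaa port-access A5 mixed
"""

@dataclass
class PortState:
    untagged: Optional[int] = None       # VLAN on which the port is an untagged member
    tagged: Set[int] = field(default_factory=set)
    dot1x: bool = False                  # 'authenticator' (802.1X) enabled on the port
    mac_based: bool = False              # MAC-based authentication enabled on the port
    mixed: bool = False                  # 'mixed' mode set on the port
    unauth_vid: Optional[int] = None     # VLAN given to clients that fail MAC auth
    client_limit: Optional[int] = None   # 802.1X client limit

def expand_ports(spec: str) -> List[str]:
    """'A1-A5' -> ['A1', ..., 'A5']; comma-separated items and single ports pass through."""
    ports: List[str] = []
    for item in spec.split(","):
        m = re.match(r"([A-Za-z]*)(\d+)-[A-Za-z]*(\d+)$", item)
        if m:
            ports.extend(f"{m.group(1)}{n}" for n in range(int(m.group(2)), int(m.group(3)) + 1))
        else:
            ports.append(item)
    return ports

def parse_config(text: str) -> Dict[str, PortState]:
    """Fold VLAN membership and 'aaa port-access' lines into one state record per port."""
    ports: Dict[str, PortState] = {}
    vlan: Optional[int] = None           # current 'vlan N' context, None outside one
    def state(name: str) -> PortState:
        return ports.setdefault(name, PortState())
    for t in (line.split() for line in text.splitlines()):
        if not t:
            continue
        if t[0] == "vlan" and len(t) == 2 and t[1].isdigit():
            vlan = int(t[1])
        elif t[0] == "exit":
            vlan = None
        elif vlan is not None and t[0] in ("tagged", "untagged") and len(t) == 2:
            for p in expand_ports(t[1]):
                if t[0] == "tagged":
                    state(p).tagged.add(vlan)
                else:
                    state(p).untagged = vlan
        elif t[:2] == ["aaa", "port-access"] and len(t) >= 4:
            if t[2] == "authenticator" and t[3] != "active":   # 'active' is global, not a port
                for p in expand_ports(t[3]):
                    state(p).dot1x = True
                    if t[4:5] == ["client-limit"]:
                        state(p).client_limit = int(t[5])
            elif t[2] == "mac-based":
                for p in expand_ports(t[3]):
                    state(p).mac_based = True
                    if t[4:5] == ["unauth-vid"]:
                        state(p).unauth_vid = int(t[5])
            elif t[3] == "mixed":                            # 'aaa port-access <ports> mixed'
                for p in expand_ports(t[2]):
                    state(p).mixed = True
    return ports

def ports_with_combination(ports: Dict[str, PortState]) -> List[str]:
    """Ports carrying every setting the post ties to the symptoms: mixed mode, an
    unauth-vid, and a tagged VLAN beside an untagged VLAN that RADIUS may replace."""
    return sorted(p for p, s in ports.items()
                  if s.mixed and s.unauth_vid is not None and s.tagged and s.untagged is not None)

if __name__ == "__main__":
    parsed = parse_config(POSTED_CONFIG)
    for name in sorted(parsed):
        print(name, parsed[name])
    print("unauth-vid + mixed + tagged VLAN:", ports_with_combination(parsed))
```

Run it as-is to see the five ports listed, then delete one `mixed` or `unauth-vid` line from `POSTED_CONFIG` and re-run: the port drops out of the final list, which is the same A/B the poster describes doing by hand on the switch.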